We use cookies to ensure that we give you the best experience on our website. By
continuing to browse, we are assuming that you have no objection in accepting cookies.
You can change your cookie
settings at any time.

What is a drive-by download?

A drive-by download is a program that is automatically installed on your computer when you’re visiting a booby-trapped website or viewing a HTML e-mail message. The malicious program is downloaded to your computer without your consent or knowledge, without your having to click on a link on the page or in the e-mail.

Speakers showed how easy it is to craft such an attack in a presentation at the RSA Conference in San Francisco, held in February 2011. According to them, hackers can manipulate a visitor's computer without permission by using a simple PDF that contains malicious code.

A study released by Google in December 2010 warned about "very high levels" of drive-by downloads attacks. This situation is a direct result of Web 2.0, Google found. The typical Web portal now uses many complex applications on top of the simple Web browser, making the Web 2.0 a fertile breeding ground for malware. Links, blog postings, shared applications and syndicated traffic are all backdoor opportunities for unknown exploits to invade legitimate sites.

“On a financial services website, the malware will try to log the keystrokes. There were days when an attacker had to guess the user's credentials, now there is a new method of attack and you can infect a website with a bad page”, the report said.

Unfortunately, the idea that URLs containing malicious software reside only in the darker corners of the Internet is simply not true anymore. A well-known example was the official website of BBC radio that was hacked In February 2011 and was linked to an injected iframe.

How to avoid drive-by downloads

To minimize the risk of drive-by downloads, you should keep your browser and your internet security software updated at all times. Also install all Windows patches as soon as they are released and don’t click on links in unsolicited or otherwise dubious e-mails.